
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

Where: Global (internet)
Category: cyber_advisory · pip

Tornado's gzip decompression routines work in limited-size chunks, but they impose no overall limit on the total size of the decompressed chunks they accumulate (there has always been a limit on the total *compressed* size). A malicious server can therefore make a client that fetches from it via `SimpleAsyncHTTPClient` in its default configuration consume effectively unlimited amounts of memory. `HTTPServer` is not affected in its default configuration, but it is if `decompress_request=True` is set.

This bug is fixed in Tornado 6.5.6: `max_body_size` is now checked against both the compressed size and the cumulative decompressed size of the response. Prior to upgrading, the issue can be mitigated by setting `decompress_response=False` or by using `CurlAsyncHTTPClient`.
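As an added illustration (not Tornado's own code), the following standard-library Python models the defect and the fix described above: `naive_gunzip` bounds only the compressed size, as the client did before 6.5.6, while `bounded_gunzip` decompresses in fixed-size chunks and also checks the running decompressed total against `max_body_size`, which is the behaviour the fix introduces. The function names, the 1 MiB cap, the 64 KiB chunk size and the constructed all-zero sample body are assumptions for the demonstration, not Tornado's values.

```python
"""Bounded vs. unbounded gzip decompression of an HTTP response body.

Added example, not Tornado's code. It models the advisory's defect (only the
compressed size is capped while decompressed chunks accumulate without limit)
next to the fixed behaviour (the cumulative decompressed size is capped too).
Limits, names and sample bodies below are assumptions for the demo.
"""
import gzip
import io
import zlib

MAX_BODY_SIZE = 1024 * 1024   # assumed cap of 1 MiB for the demo
CHUNK_SIZE = 64 * 1024        # assumed per-step output bound


class DecompressedBodyTooLarge(Exception):
    """Body exceeded max_body_size, either compressed or cumulatively decompressed."""


def make_body(payload: bytes) -> bytes:
    """Gzip a payload the way a server would encode a response body."""
    return gzip.compress(payload)


def make_zero_bomb(decompressed_size: int) -> bytes:
    """Constructed sample: a highly compressible body, tiny on the wire but
    large once expanded (stands in for the malicious server's response)."""
    return make_body(b"\0" * decompressed_size)


def naive_gunzip(compressed: bytes, max_body_size: int = MAX_BODY_SIZE) -> bytes:
    """Pre-fix behaviour: only the compressed size is checked, so a small
    body that expands far beyond the cap is accepted and held in memory."""
    if len(compressed) > max_body_size:
        raise DecompressedBodyTooLarge(
            "compressed size %d exceeds %d" % (len(compressed), max_body_size))
    return gzip.decompress(compressed)


def bounded_gunzip(compressed: bytes, max_body_size: int = MAX_BODY_SIZE,
                   chunk_size: int = CHUNK_SIZE) -> bytes:
    """Fixed behaviour: emit at most chunk_size bytes per decompression step
    and reject the body as soon as the running decompressed total exceeds
    max_body_size, so memory use is bounded by the cap, not by the ratio."""
    if len(compressed) > max_body_size:
        raise DecompressedBodyTooLarge(
            "compressed size %d exceeds %d" % (len(compressed), max_body_size))
    decomp = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + wbits selects the gzip wrapper
    out = io.BytesIO()
    total = 0
    data = compressed
    while not decomp.eof:
        # max_length bounds this step's output; input that could not yet be
        # processed is kept in unconsumed_tail and fed back on the next pass.
        piece = decomp.decompress(data, max_length=chunk_size)
        total += len(piece)
        if total > max_body_size:
            raise DecompressedBodyTooLarge(
                "cumulative decompressed size exceeds %d" % max_body_size)
        out.write(piece)
        data = decomp.unconsumed_tail
        if not piece and not data and not decomp.eof:
            raise ValueError("truncated gzip stream")
    return out.getvalue()


def body_accepted(compressed: bytes, max_body_size: int = MAX_BODY_SIZE) -> bool:
    """True if the bounded decoder accepts the body, False if it rejects it."""
    try:
        bounded_gunzip(compressed, max_body_size)
    except DecompressedBodyTooLarge:
        return False
    return True


if __name__ == "__main__":
    bomb = make_zero_bomb(8 * 1024 * 1024)
    print("on the wire: %d bytes" % len(bomb))
    print("naive decoder expanded to: %d bytes" % len(naive_gunzip(bomb)))
    print("bounded decoder accepts bomb: %s" % body_accepted(bomb))
    legit = make_body(b"hello world\n" * 1000)
    print("bounded decoder accepts ordinary body: %s" % body_accepted(legit))
```

Running the file shows the constructed body passing the compressed-size check and expanding to 8 MiB in the naive decoder, while the bounded decoder stops at the first chunk that pushes the cumulative total past the cap and still accepts an ordinary body unchanged. Until an upgrade to 6.5.6 is possible, the mitigations named above map onto Tornado's own API: pass `decompress_response=False` to `tornado.httpclient.HTTPRequest`, or select the curl backend with `AsyncHTTPClient.configure("tornado.curl_httpclient.CurlAsyncHTTPClient")`.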
